Hi - I’ve got myself in a dependency tangle but I ...
# community-support
Hi - I’ve got myself in a dependency tangle but I don’t understand what exactly’s gone wrong, hoping somebody will be able to point me in the right direction please? I’m getting this warning from gradle for a large number of dependencies in my builds:
```
The dependency resolution engine wasn't able to find a version of module org.springframework.boot:spring-boot-starter-web which satisfied all requirements because the graph wasn't stable enough. The highest version was selected in order to stabilize selection.
```
I’ve reproduced this with a minimal setup in gradle 8.14.2, with a Java project:
```groovy
dependencies {
  implementation platform("org.springframework.boot:spring-boot-dependencies:3.4.0")
  implementation platform("com.fasterxml.jackson:jackson-bom:2.18.0")

  api "org.springframework.boot:spring-boot-starter-web"

  api project(":submodule")
}
```
where the dependencies of submodule are simply:
```groovy
dependencies {
  api "com.fasterxml.jackson:jackson-bom:2.18.0"
}
```
The important features appear to be:

• The explicit `api` dependency on spring-boot-starter-web must be lower than the spring boot BOM pulls in (or absent). If I pull in a version >= the BOM version (3.4.0) then no warning appears.
• Same for the jackson-bom dependency, this must be < the jackson-bom version that spring boot pulls in (2.18.1).
• To get the warning - BOTH the `api` dependency on jackson-bom AND the transitive BOM dependency through `submodule` have to be lower than spring boot’s version. If either of them pulls in a >= version then the warning disappears.

It’s a convoluted scenario and easily fixable - in reality this is a large mesh of enterprise libraries so I’m trying to understand exactly what’s going on here so I can figure out how best to sort it out long term. My specific questions are:

1. I can see how resolution of jackson-bom could be complicated (also seeing warnings for this), but I don’t understand how this affects spring-boot-starter-web. That seems like a completely unrelated part of the dependency tree - is whatever’s gone wrong with jackson simply causing havoc for the whole resolution process?
2. Although I know I’m not using the bom correctly, I don’t actually see why this is causing a problem. Shouldn’t the dependency graph still be an easy conflict resolution between versions 2.18.0 and 2.18.1? spring-boot-starter-web does also depend transitively on jackson-bom, which I’m sure must have something to do with it.

Can anyone see where I’m getting confused please? Full project tarball attached.
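
An added example, not part of the original post: since the warning says the highest version was selected for each affected module, this script lists which modules hit that fallback in a saved build log, grouped by group id, so the selected versions can be audited against what the BOMs pin. The log lines are constructed from the message quoted above (including its mid-word wrap), and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

def _loose(text):
    # Allow whitespace between any two characters so a hard-wrapped
    # console line ("bec" / "ause") still matches; accept ' or ’.
    return r"\s*".join("['\u2019]" if ch == "'" else re.escape(ch)
                       for ch in text if not ch.isspace())

# Fixed message text as quoted in the post; only the module varies.
UNSTABLE = re.compile(
    _loose("wasn't able to find a version of module")
    + r"\s*(?P<module>[\w.\-]+:[\w.\-]+)\s*"
    + _loose("which satisfied all requirements because "
             "the graph wasn't stable enough")
)

def unstable_modules(log_text):
    """Count how often each group:name hit the 'graph wasn't stable' fallback."""
    return Counter(m.group("module") for m in UNSTABLE.finditer(log_text))

def by_group(counts):
    """Map group id -> sorted module names, to show how far the issue spreads."""
    groups = defaultdict(list)
    for module in sorted(counts):
        group, name = module.split(":", 1)
        groups[group].append(name)
    return dict(groups)

# Constructed sample log (not real build output from the poster's project).
_MSG = ("The dependency resolution engine wasn't able to find a version of "
        "module {} which satisfied all requirements because the graph wasn't "
        "stable enough. The highest version was selected in order to "
        "stabilize selection.")
SAMPLE_LOG = "\n".join([
    "> Task :compileJava",
    _MSG.format("org.springframework.boot:spring-boot-starter-web")
        .replace("because", "bec\nause"),   # wrapped as in the post
    _MSG.format("com.fasterxml.jackson:jackson-bom"),
    _MSG.format("org.springframework.boot:spring-boot-starter-web"),
    "BUILD SUCCESSFUL in 2s",
])

if __name__ == "__main__":
    counts = unstable_modules(SAMPLE_LOG)
    for group, names in by_group(counts).items():
        print(group, "->", ", ".join(f"{n} (x{counts[group + ':' + n]})" for n in names))
```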